Security - Cisco - Global Home Page · Patch/Remediation Monitoring Personal Firewall Network Segmentation Employee Awareness Principal of Least Privilege Information Classification

© 2005 Cisco Systems, Inc. All rights reserved. Cisco Public

Page 1

Security @ Cisco

Laura Kuiper, Consulting Engineer, Security

Page 2

Agenda

Who Is Cisco

Security Technologies @ Cisco

Summary

Page 3

Cisco Security Commitment

“Security starts with me, the CEO, down to the individual contributor level…it’s mandatory.”

John Chambers, President and CEO, Cisco Systems

Page 4

So, What Is Security…

• One “size” doesn’t fit all

• What is important to an organization and what it must deliver to be successful is highly individual

• Security decisions are really business decisions

• This implies that security implementers have to understand the business, its culture, and its overall direction…

Page 5

So, Who Is Cisco?

People: 38,000 employees, 18,000 contractors

Systems: 58,000 Windows desktops; 14,000 Solaris and Linux desktops; 84,000+ Data Center servers; 210 Call Managers

Information: Cisco’s information assets and customer information

Productivity: Investments from the past 10 years

• 8 primary multi-peered Internet gateways, 13 VPN gateways, 30+ lab Internet connections

• 900+ labs world wide

• 25+ Firewalls (Stateful PIXes, FWSM Blades, and Stateless Routers)

• 20+ Intrusion Detection Systems

• 210+ Business and Support Development Partners

• 230+ Application Service Providers

• 300 offices in 100 countries

Page 6

Cisco Culture

• Employee trust

• Bias toward openness

• Embrace virtual company model

• Implement bleeding edge new technology

• Cisco’s InfoSec Strategy: Preserve Cisco’s cultural openness, but with lower risk

Build awareness consistent with culture

Proactive involvement in new technology deployment

Controls only when necessary and effective

Allow employee trust, but monitor and verify

Page 7

What Are the Concerns?

• Disruption affects Productivity (The CIO Problem)

External source (e.g. DDoS)

Internal source (e.g. virus breakout)

Accidental source (e.g. configuration mistake)

• Loss affects Value (The CFO Problem)

Random theft (e.g. break-in, no coordination)

Directed theft (e.g. espionage)

Accidental loss (e.g. presentation left behind, picked up)

• Damage affects Reputation (The CEO Problem)

Internet visage (e.g. web site defacement)

Customer and shareholder confidence (loss of information)

Accidental damage (e.g. making a misstep in industry)

Three Threats: Disruption, Loss, and Damage

Page 8

Security Strategy: Proactive and Reactive

Figure: two-column diagram of Proactive and Reactive controls, with rows for the threats (Disruption, Loss). Controls shown: Architectural Design, Patch/Remediation, Monitoring, Personal Firewall, Network Segmentation, Employee Awareness, Principle of Least Privilege, Information Classification, Network Access Control, DoS Protection, Investigations/Forensics, Legal Action, Internet Scanning, Scanning/Behavior Analysis, Incident Response, Intrusion Detection, Anomaly Detection.

Cisco Products and Features mapped onto the diagram: Cisco CSA; NAC, 802.1x; Cisco Guard; Router/Switch Features; Arbor; Addamark, MARS, NetForensics; Cisco IDS; CSIRT.

Page 9

Security Strategy: Proactive and Reactive

Figure: the same Proactive/Reactive diagram as on page 8, with Anomaly Detection highlighted: Cisco Guard, Arbor/NetFlow.

Page 10

NetFlow Principles

• Inbound traffic only (egress NetFlow available starting in 12.4)

• Accounts for both transit traffic and traffic destined for the router

• Works with Cisco Express Forwarding (CEF) or fast switching

Not a switching path

• Supported on all interfaces and Cisco IOS software platforms

• Returns the sub-interface information in the flow records

Page 11

Key Concepts

• If you think of packet capture like a wiretap, Netflow is more like a phone bill…

• This lower level of granularity allows NetFlow to scale for very large amounts of traffic

• NetFlow is a form of telemetry pushed from the routers/switches

Each one can be a sensor

• Advantage of NetFlow: no changes to the network while it’s under attack; passive monitoring

Scripts can be used to poll and sample throughout the network

IDS products can plug into NetFlow

Page 12

Traffic Graphs

Using Arbor Networks Peakflow

Page 13

Cisco Guard

• Security solution which mitigates DDoS attacks and other forms of undesirable traffic

• Not just anomaly detection; also provides actions for detected anomalies

• Not an in-line solution; failure of the Cisco Guard appliance does not impact the network

• Auto-baseline (learning mode): discovery of services, auto threshold tuning, identifies HTTP proxies and top sources

• Filters based on traffic profiles

Page 14

Cisco Guard (Cont.)

• Provides a ‘scrubbing’ service for traffic directed towards those properties, through the use of statistical profiling techniques and anti-spoofing technology

• Filters out the bad traffic and allows the good traffic through

Page 15

Cisco Guard Example

Figure: Cisco Guard example, step 1 of 6. Non-targeted servers and the target sit behind the Cisco Guard, which is attached via a BGP announcement.

1. Detect: Riverhead Detector / Cisco IDS / Arbor Peakflow

Page 16

Cisco Guard Example

Figure: Cisco Guard example, steps 1 to 2. Non-targeted servers and the target sit behind the Cisco Guard, which is attached via a BGP announcement.

1. Detect: Riverhead Detector / Cisco IDS / Arbor Peakflow

2. Activate: Auto/Manual

Page 17

Cisco Guard Example

Figure: Cisco Guard example, steps 1 to 3. Non-targeted servers and the target sit behind the Cisco Guard.

1. Detect: Riverhead Detector / Cisco IDS / Arbor Peakflow

2. Activate: Auto/Manual

3. Divert only the target’s traffic (BGP announcement from the Cisco Guard)

Page 18

Cisco Guard Example

Figure: Cisco Guard example, steps 1 to 4. Traffic destined to the target now flows through the Cisco Guard.

1. Detect: Riverhead Detector / Cisco IDS / Arbor Peakflow

2. Activate: Auto/Manual

3. Divert only the target’s traffic

4. Identify and filter the malicious

Page 19

Cisco Guard Example

Figure: Cisco Guard example, steps 1 to 5. Traffic destined to the target flows through the Cisco Guard; legitimate traffic is returned to the target.

1. Detect: Riverhead Detector / Cisco IDS / Arbor Peakflow

2. Activate: Auto/Manual

3. Divert only the target’s traffic

4. Identify and filter the malicious

5. Forward the legitimate (legitimate traffic to target)

Page 20

Cisco Guard Example

Figure: Cisco Guard example, all six steps. Traffic destined to the target flows through the Cisco Guard; legitimate traffic is returned to the target; traffic for the non-targeted servers is untouched.

1. Detect: Riverhead Detector / Cisco IDS / Arbor Peakflow

2. Activate: Auto/Manual

3. Divert only the target’s traffic

4. Identify and filter the malicious

5. Forward the legitimate (legitimate traffic to target)

6. Non-targeted traffic flows freely

Page 21

AT CISCO: Anomaly Detection and D/DoS

• NetFlow deployed on network edges

• Arbor Peakflow used on network edges to identify D/DoS attacks and anomaly detection

• Netflow deployed on internal network

• NetQoS used for capacity and anomaly detection

• Using Cisco Guard (with Arbor and Cisco Detector) to mitigate D/DoS

Page 22

Security Strategy: Proactive and Reactive

Figure: the same Proactive/Reactive diagram as on page 8, with Monitoring and Intrusion Detection highlighted: Addamark, MARS, NetForensics; Cisco IDS.

Page 23

CS-MARS Technologies

Figure: CS-MARS processing pipeline. Capture: network, firewall, NAT, NetFlow (logs, alerts, traffic flow). Correlate: NAT, CVE, anomaly, rule (ContextCorrelation™). Validate: VA, firewall, switch, router, rule (SureVector Analysis™). Drill-down: visualize, prioritize, investigate. Leveraged mitigation (AutoMitigate™). Rapid query, audit, report.

• CS-MARS receives and monitors all event sources: NetFlow, SNMP, syslog, POP, RDEP, XML APIs, raw Win, host / app logs…

• Rapid in-line event processing, embedded Oracle®, full storage; DBMS transparent; raw and Protego data forensic / report archived

Continuous NFS archival with 40:1 compression

• Focus on validated incidents, not investigating isolated events

Page 24

CS-MARS

• Network Intelligence: gives views into topology, traffic flow, device configuration, and enforcement devices

• ContextCorrelation: correlates, reduces and categorizes events

Validates incidents

Figure: event funnel. Inputs (Router Cfg., Firewall Log, Switch Cfg., Switch Log, Server Log, AV Alert, App Log, VA Scanner, Firewall Cfg., Netflow, NAT Cfg., IDS Event, ...) arrive as Isolated Events; Correlation and Reduction group them into Sessions, which are verified against Rules to yield Valid Incidents.

Page 25

At Cisco: IDS

• Close relations between IDS dev team and InfoSec

• Deployments of IDS: Edge Networks and Extranets

• Virtual team to review and react to alarms

Bulk of Security cases initiated from alarms

Page 26

At Cisco: Event Correlation

• SIMS deployed by Infosec; leveraged for reporting IDS events

• Deployment of CS-MARS planned

Collecting Netflow, IDS, syslog, CSA, QualysGuard, VirusScan data

Will be leveraged for reporting and categorization of events…

Page 27

Security Strategy: Proactive and Reactive

Figure: the same Proactive/Reactive diagram as on page 8, with Cisco Products and Features highlighted: Router/Switch Features.

Page 28

Best Practice: Disabled Services

Global:

• Finger

• Pad

• Small servers

• bootp

• Identification service

• Source routing

Interface:

• icmp redirects

• icmp unreachables

• icmp mask reply messages

• proxy-arp

• Directed broadcast

• mop

Page 29

Best Practice: Enabled Services

• Service-password encryption

• Service tcp-keepalives-in

• Service tcp-keepalives-out

• A banner

• Transport input/output

• Transport is only SSH

• Exec timeout 10

• SNMP if strings are defined

• Logging buffered

• Logging trap debugging

• AAA configuration: TACACS+

Page 30

At Cisco: General Configuration Template

• Regionalized information for:

DNS

Logging: log to regional syslog server; log buffer 128 (centralized logging)

SNMP: ACL for SNMP (limit who can do SNMP queries)

TACACS

NTP servers (consistent time)

Page 31

At Cisco: Template Information

• Hostname/Prompt and System Information

• Create Banner: standard banner located in documentation

• TACACS, Passwords and Timeouts: configure standard TACACS

Enable secret

Page 32

At Cisco: Best Practices

• Run a router audit tool on a daily basis and remediate devices

• Auto-configuration of some template features

• Policy to only permit SSH as remote access mechanism
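Pages 28 to 32 list the services the template disables and enables and call for a daily router audit. The script below is an added example, not Cisco's own audit tool: it parses a running-config text and flags every template line that is absent, plus vty lines that still allow anything other than SSH. The config fragment is constructed, and the exact command spellings it expects (for instance `no ip identd`, `no mop enabled`) are assumptions about how the template expresses each list item.

```python
"""Audit an IOS running-config against the hardening template (added example).
The sample config and the command spellings below are constructed assumptions."""

# Constructed sample: a partially hardened edge router config.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
service password-encryption
service tcp-keepalives-in
no service pad
no service tcp-small-servers
no ip finger
no ip bootp server
aaa new-model
tacacs-server host 192.0.2.10
enable secret 5 $1$CONSTRUCTED$placeholderhash
banner motd ^C Authorized use only ^C
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no ip proxy-arp
 no ip directed-broadcast
 no mop enabled
logging buffered 128000
logging trap debugging
line vty 0 4
 exec-timeout 10 0
 transport input telnet ssh
end
"""

# Global lines that must appear verbatim (disabled services, enabled services).
GLOBAL_REQUIRED = (
    "no ip finger", "no service pad", "no service tcp-small-servers",
    "no ip bootp server", "no ip identd", "no ip source-route",
    "service password-encryption", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "aaa new-model",
)
# Global lines that must appear with some argument (banner text, host, size).
GLOBAL_REQUIRED_PREFIX = (
    "banner motd", "logging buffered", "logging trap debugging",
    "enable secret", "tacacs-server host",
)
# Per-interface lines required on every interface that carries an IP address.
INTERFACE_REQUIRED = (
    "no ip redirects", "no ip unreachables", "no ip mask-reply",
    "no ip proxy-arp", "no ip directed-broadcast", "no mop enabled",
)


def parse_blocks(text):
    """Return (top-level lines, {block header: [indented child lines]})."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line[0].isspace():            # child of the current interface/line block
            if current is not None:
                blocks[current].append(line.strip())
            continue
        top.append(line)
        current = line if line.startswith(("interface ", "line ")) else None
        if current is not None:
            blocks.setdefault(current, [])
    return top, blocks


def audit(text):
    """Return human-readable findings; an empty list means the device is compliant."""
    top, blocks = parse_blocks(text)
    findings = [f"global: missing '{r}'" for r in GLOBAL_REQUIRED if r not in top]
    findings += [f"global: missing '{p} ...'" for p in GLOBAL_REQUIRED_PREFIX
                 if not any(line.startswith(p) for line in top)]
    for header, children in blocks.items():
        if header.startswith("interface "):
            if not any(c.startswith("ip address ") for c in children):
                continue                 # unnumbered interface: template does not apply
            findings += [f"{header}: missing '{r}'"
                         for r in INTERFACE_REQUIRED if r not in children]
        elif header.startswith("line vty"):
            if not any(c.startswith("exec-timeout 10") for c in children):
                findings.append(f"{header}: exec-timeout is not 10 minutes")
            transports = [c for c in children if c.startswith("transport input")]
            if transports != ["transport input ssh"]:   # policy: SSH only
                findings.append(f"{header}: transport input must be exactly "
                                f"'ssh', found {transports or 'none'}")
    return findings


def is_compliant(text):
    return not audit(text)
```

Run daily, the findings list is the remediation queue: each line names the device section and the exact template command to add.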

Page 33

Unicast RPF Overview

• Cisco Express Forwarding is required

• Checks to determine whether any packet that is received at a router interface arrives on one of the best return paths to the source of the packet

• Performs a reverse lookup in the Cisco Express Forwarding table; if uRPF does not find a reverse path for the packet, uRPF can drop the packet

• Two types of uRPF:

Strict mode uRPF requires that the source IP address of an incoming packet has a FIB path to the SAME interface as that on which the packet arrived

Loose mode uRPF requires that the source IP address of an incoming packet has a FIB path to ANY interface on the device, except null

Page 34

uRPF—Strict Mode

router(config-if)# ip verify unicast reverse-path
or: ip verify unicast source reachable-via rx allow-default

Figure: a router with interfaces int 1, int 2 and int 3 and FIB entries Sx → int 1, Sy → int 2, Sz → null0. The check applied is “source IP reachable via the receiving interface?” (sourceIP = rx int?). A packet Sx → D arriving on int 1 matches the FIB path for Sx and is forwarded; a packet Sy → D arriving on int 1 fails the check, because Sy’s FIB path is int 2, and is dropped.

Page 35

uRPF—Loose Mode

router(config-if)# ip verify unicast source reachable-via any

Figure: the same router and FIB (Sx → int 1, Sy → int 2, Sz → null0). The check applied is “source IP reachable via any interface?” (sourceIP = any int?). A packet Sy → D arriving on int 1 now passes, because Sy has a FIB path via int 2; a packet Sz → D is dropped, because its only FIB path is null0.
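The strict and loose checks on pages 33 to 35 can be stated precisely as a lookup against the FIB. The simulation below is an added example (not Cisco code) that models the slides' FIB (Sx → int 1, Sy → int 2, Sz → null0) with constructed prefixes, adds a default route so that `allow-default` can be shown, and decides forward/drop for each mode.

```python
"""Simulate uRPF strict and loose mode against a FIB (added example)."""
import ipaddress

# Constructed FIB mirroring the slides: Sx -> int 1, Sy -> int 2, Sz -> null0,
# plus a default route that only counts when allow-default is configured.
FIB = {
    "10.1.0.0/16": "int 1",     # Sx
    "10.2.0.0/16": "int 2",     # Sy
    "10.3.0.0/16": "null0",     # Sz, a black-holed prefix
    "0.0.0.0/0": "int 3",       # default route
}

# Constructed packets from the slides: (source address, ingress interface).
PACKETS = [("10.1.5.5", "int 1"), ("10.2.5.5", "int 1"), ("10.3.5.5", "int 1")]


def fib_lookup(fib, ip):
    """Longest-prefix match: return (prefix, egress interface) or (None, None)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else (None, None)


def urpf_check(fib, src_ip, ingress, mode="strict", allow_default=False):
    """True if the packet passes the reverse-path check, False if it is dropped.

    strict: the source's FIB path must point back out the ingress interface
            (ip verify unicast source reachable-via rx).
    loose:  any non-null FIB path for the source is enough
            (ip verify unicast source reachable-via any).
    """
    prefix, iface = fib_lookup(fib, src_ip)
    if prefix is None or iface == "null0":
        return False                      # no route, or source is black-holed
    if prefix == "0.0.0.0/0" and not allow_default:
        return False                      # default route is ignored unless allowed
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode: {mode}")


def evaluate(fib, packets, mode):
    """Apply the check to each packet and report the per-packet verdict."""
    return [(src, ingress, "forward" if urpf_check(fib, src, ingress, mode) else "drop")
            for src, ingress in packets]
```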

Page 36

At Cisco: IOS Security Features

• uRPF: edge enabled (ISP edge, Building Edge, DMZ edge…)

• CAR/Traffic Policing: used at ISP Edge

• IOS/FW (CBAC): Remote Access devices

Standard approved for Extranet

Page 37

At Cisco: Switch Security Features

• DHCP Snooping: investigating usage on voice VLAN

• Port Security: deployed on some networks

• ARP Inspection: included in standard for Secure Data Center

Page 38

Highly Scalable Multi-Context Security Services

• Security Contexts (Virtual Firewalls) lower operational costs

• Reduce overall management and support costs by hosting multiple virtual firewalls in a single appliance

Enables the logical partitioning of a single Cisco PIX Security Appliance into multiple logical firewalls, each with their own unique policies and administration

Each context provides the same primary firewall features provided by a standalone Cisco PIX Security Appliance

Supports up to 100 contexts, depending on platform

• Ideal solution for enterprises consolidating multiple firewalls into a single larger appliance, or service providers who offer managed firewall or hosting services

Figure: before, a separate PIX per department/customer (Dept/Cust 1, 2, 3 … N); after, a single PIX hosting one context per department/customer (Dept/Cust 1, 2, 3 … N).

Page 39

Transparent (Layer 2) Firewall

• Transparent Firewall provides rapid deployment security services

• Simplifies and speeds deployment of security services into SMB and Enterprise network environments

Provides the ability to rapidly “drop in” Cisco PIX Security Appliances into existing networks without requiring any addressing changes

Delivers high-performance stealth L2-L7 security services and provides protection against network layer attacks

Seamless security appliance integration in complex routing, high availability, and multicast environments

• Ideal for environments with limited IT resources/budget

Figure: a PIX in transparent firewall mode inserted between two routers that remain on the SAME subnet, 10.30.1.0/24, on both sides.

Page 40

AT CISCO: Firewalls

• Using FWSM and PIX as our corporate firewalls

• Using transparent features in some locations

• Usage of FWSM and PIX on critical networks

• Planning usage of FWSM in the Data Center

• Investigating virtual firewalls for usage in Data Center


Page 41

Security Strategy: Proactive and Reactive

Figure: the same Proactive/Reactive diagram as on page 8, with Cisco CSA highlighted.

Page 42

CSA 4.5: Additional Features

• Can put a single rule into test mode

• Can apply different policies to users when they are in the office and when they’re outside it

• Can have a different policy for different users

• Can delegate security responsibility to the end user

• Can push a configuration change out to the agents

Page 43

End-User Security Decisions

Personal Firewall Type of GUI Is an Option; These Apps Have Been Granted Permission to Use the Network

User Queries Can Be “Remembered”—i.e., Permanently Cached

Central Definition of High, Medium, and Low

Page 44

An ROI Example

Year         Cost per event          Freq.   Event cost    Year total
2003         $250,000 minor          3       $750,000
             $2.5m major             1       $2.5mil       $3.25mil OPEX
2004 w/CSA   $25,000 event           6       $150,000      $150,000 OPEX
             LIST $3.7mil CAPEX              $3.7mil       $3.85mil
             33% dis $2.5mil CAPEX   1       $2.5mil       $2.65mil

We Nearly Doubled the Number of Events, Yet Spent 1/20th on OPEX Handling Them

If We Didn’t Do This, We Predict We Would Have Spent $6mil (4 Minor + 2 Major), So We Saved Money at List Prices

NOTE: Numbers Used February CSA Pricing, Which Has Subsequently Lowered, So We Would Have Saved Even More

Page 45

At Cisco: CSA

• Cisco desktops now fully migrated to 4.5

• Rolled out to all production desktop/laptop systems

• Continuing to work on Server/DMZ rollouts

Currently on all Unity Servers (50+ worldwide)

Rolled out to Call Managers (10+ currently)

Page 46

Security Strategy: Proactive and Reactive

Figure: the same Proactive/Reactive diagram as on page 8, with NAC, 802.1x highlighted.

Page 47

NAC Logical Components

Figure: NAC logical components.

Host: Cisco Trust Agent (CTA) on NT, 2000, XP, with plug-ins for the security apps: Cisco Security Agent, McAfee VirusScan, Symantec SAV and SCS (EDAP Customers Only), Trend Micro OfficeScan

Network Access Device: Routers (83x-72xx)

AAA Server: Cisco Secure ACS

Vendor Server: Trend Micro Policy Manager

Monitoring and Reporting: Cisco CS-MARS

Protocols: EAPoUDP between the host and the network access device; RADIUS between the network access device and the AAA server; HCAP between the AAA server and the vendor server

EAPoUDP—Extensible Authentication Protocol (EAP) over User Datagram Protocol (UDP); RADIUS—Remote Authentication Dial-In User Service; HCAP—Host Credential Authorization Protocol

Page 48

AT CISCO: NAC

• Pilot on-going with Remote Access

• Planning and standard created for deployment to Field Sales Offices

• On-going Pilot for Field Sales Offices with sites currently in monitor mode.

• Working closely with Business Units on NAC phase 2

Other Features

Page 49

Security Strategy: Proactive and Reactive

Figure: the same Proactive/Reactive diagram as on page 8, with CSIRT highlighted.

Page 50

Six Phases of Incident Response

1. Preparation: prep the network; create tools; test tools; prep procedures; train team; practice

2. Identification: How do you know about the attack? What tools can you use? What’s your process for communication?

3. Identification (labelled the same as phase 2 on the slide): How do you know about the attack? What tools can you use? What’s your process for communication?

4. Traceback: Where is the attack coming from? Where and how is it affecting the network?

5. Reaction: What options do you have to remedy? Which option is the best under the circumstances?

6. Post Mortem: What was done? Can anything be done to prevent it? How can it be less painful in the future?

Page 51

Protecting Cisco from SQL SlammerTimeline Summary

10:29 PST—Slammer Launched

10:35 (+6 Mins) Detected: Anomaly Detection Systems @Cisco Pick It Up

10:39 (+10–15 Mins) Protected: Global Access Rules Applied to Stop Inbound/Outbound Access to UDP 1434

11:00 (+30 Mins) Scanner Launched: Scan Developed; Scan for Vulnerable Hosts Initiated

11:00 PST (+30 Mins)—74,000 Hosts Worldwide Infected

0000 PST (+1.5 Hrs)—Massive Proliferation, Network Traffic Spiking Worldwide

0200 PST (+3.5 Hrs)—Protection/Remediation Strategies Posted on Symantec

1:00 (+4–8 Hrs) Detected Phase II: 200+ Systems Identified as Vulnerable Internally

(+6 Days) Protected Phase II: 90% of Servers Remediated; 100% Desktop Agents Turned Off

Page 52:

At Cisco: Stopping SQL Slammer

What We Did

1. Utilized Arbor Networks’ PeakFlow DoS anomaly detection tool (combined with Cisco’s NetFlow data) to verify the anomaly of UDP 1434; it triggered alarms of the “unusual” traffic

2. Within minutes, Transport and Infosec teams responded by quickly locking down the port at every ingress/egress point globally (corporate networks, internal nets, LANs, etc.)

3. In a live war room environment, worked with PSIRT/TAC and key customers as we learned more about the infection; ensured precise communication and recommendations for blocking, detection and remediation
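As an added example (not from the presentation and not Cisco's or Arbor's tooling), the kind of check step 1 describes: per-port UDP packet counts from a current NetFlow window are compared against a baseline window, and a port whose volume jumps well past its baseline raises an alarm. The record fields, the thresholds and the sample flows are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """Minimal NetFlow-style record (constructed field set)."""
    proto: str    # "udp" or "tcp"
    dport: int    # destination port
    packets: int  # packets in the flow


def aggregate_by_port(flows, proto="udp"):
    """Sum packets per destination port for one transport protocol."""
    counts = defaultdict(int)
    for f in flows:
        if f.proto == proto:
            counts[f.dport] += f.packets
    return counts


def detect_port_anomalies(baseline, window, ratio=10.0, min_packets=500):
    """Alarm on UDP ports whose packet volume in `window` is at least `ratio`
    times the baseline volume. `min_packets` is a floor so that a port that was
    silent in the baseline does not alarm on a handful of packets.
    Returns {port: (baseline_packets, window_packets)} for alarming ports."""
    base = aggregate_by_port(baseline)
    cur = aggregate_by_port(window)
    alarms = {}
    for port, pkts in cur.items():
        expected = max(base.get(port, 0), 1)  # avoid division by zero
        if pkts >= min_packets and pkts / expected >= ratio:
            alarms[port] = (base.get(port, 0), pkts)
    return alarms


def sample_flows():
    """Constructed baseline and current windows: normal DNS/NTP/HTTP traffic,
    a quiet new port, and a burst of single-packet UDP/1434 flows."""
    baseline = [Flow("udp", 53, 3000), Flow("udp", 123, 200),
                Flow("tcp", 80, 5000), Flow("udp", 1434, 20)]
    window = [Flow("udp", 53, 3100), Flow("udp", 123, 210),
              Flow("tcp", 80, 5200), Flow("udp", 5000, 100)]
    window += [Flow("udp", 1434, 1) for _ in range(4000)]
    return baseline, window


if __name__ == "__main__":
    print(detect_port_anomalies(*sample_flows()))  # {1434: (20, 4000)}
```

UDP/5000 stays quiet in the output because it never reaches the packet floor, while UDP/1434 trips the ratio check even though it carried a little traffic in the baseline.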

Page 53:

At Cisco: Stopping SQL Slammer (Cont.)

What We Did

4. Scanned Cisco with an in-house developed host-tracker, which scanned our network looking for vulnerable and/or infected hosts; identified the systems, then worked with desktop/hosting people to quickly remediate/patch vulnerable systems

5. Developed the first scanner for worm detection; made it publicly available

6. Performed round-the-clock monitoring and follow-up with all teams involved to ensure no infection and to report status on remediation progress

Page 54:

At Cisco: Stopping SQL Slammer: Results

• Result to Cisco: no infections found to date

• Success criteria:

Preparation: Incident Response process/team in place; 24x7 response system critical in dealing with the worm

Identification/Detection: early (and new) detection mechanisms (tools) to understand the live data pertaining to anomaly detection

Classification: knowledge of network setup and normal/abnormal behaviors

Communication and Empowerment: inherent in our successes against this and other DDoS and worm threats

Reaction: quick communication with ALL network owners to lock down (via ACLs) access into (and out of) the company

Follow Up and Post Mortem: briefings on a daily basis for two weeks to ensure that the threat was eradicated, and to discuss lessons learned

Page 55:

Summary

Page 56:

AT CISCO:

• Security is important to all aspects of Cisco

• InfoSec and IT Infrastructure work together to deploy Cisco Security features and products

• Incorporate both Proactive and Reactive mechanisms

Page 57:

Security at Cisco

www.cisco.com/security

Page 58:

Questions

Page 59:

More Security Resources

Case Studies: http://www.cisco.com/en/US/about/ciscoitatwork/case_studies/security.html

Call to get Product, Solution and Financing Information: 1-800-745-8308 ext 4699

Order Resources: http://cisco.com/en/US/ordering/index.shtml
